If you’re the owner of a mobile device running Google’s Android mobile OS, the chances are pretty good that your device is vulnerable to attack, according to data from the firm Duo Security.

One in two Android devices that installed Duo’s X-Ray mobile vulnerability assessment software found known, unpatched vulnerabilities on the phone that could be used to take “full control of users’ phones,” according to a post by Duo CTO (and security Ninja) Jon Oberhide.

And 50% may be a conservative figure, Oberhide warned.

Writing on the company’s blog, Oberhide said that carriers’ conservative approach to rolling out patches to fix Android vulnerabilities is a big part of the problem.

Duo’s X-Ray application was released in July and has already been installed on 20,000 devices – a pretty good data set.

The application collects information on the version of the Android operating system a device is running, the carrier and any potentially vulnerable software.

Oberhide said that vulnerabilities on Android devices are a serious security problem and that vulnerable devices “often remain vulnerable for months and even years.”

“Yes, it’s a scary number, but it exemplifies how important expedient patching is to mobile security and how poorly the industry (carriers, device manufacturers, etc) has performed thus far,” Oberhide wrote.

Exploitable vulnerabilities are inevitable in complex software applications and operating systems, and Duo says that Apple mobile devices like the iPhone and iPad could contain vulnerabilities as well.

However, Apple and Google have taken radically different paths to market, with Apple retaining strict control over its operating system and the hardware platform it runs on. That has enabled the Cupertino, California company to easily and quickly push out operating system updates to its entire user base, regardless of carrier.

Google, however, offered its operating system as an open source offering that could run on any hardware.

That’s been great for building a worldwide user base. Carriers and handset makers partnered to roll their own Android devices, each with a different version of the OS and a mélange of different applications and components.

That leaves Android device owners at the mercy of both their carrier and the handset maker if they want to get a security update to patch a serious, remotely exploitable hole; each update from Google has to be tested against a particular hardware platform by the manufacturer, then pushed out through carriers who are reluctant to do anything that might rile their mobile customer base.

“Essentially, in the Android ecosystem we are in a worse place than with pre-millennium Windows, before Automatic Updating was released,” said Vanja Svajcer, a principal malware researcher at Sophos. “The main difference is that with Windows we did not have IBM, HP, Toshiba and Dell producing their own versions of the operating system and Best Buy, Walmart and Amazon deciding when to update.”

Svajcer said the current, decentralized system of updates isn’t sustainable: “Something will have to change with Android updating soon if we do not want to witness mass compromises of Android devices on a scale reminiscent of Nimda, Code Red and other large Windows outbreaks from the beginning of the decade.”

Oberhide presented the results of his company’s survey of Android devices at the UNITED Security Summit in San Francisco on Friday, September 14.

6 comments on “More than half of Androids have unpatched security holes, research claims”

Even worse is when the manufacturer offers an upgrade (say, LG's Nitro HD upgrade from Gingerbread to ICS), but it only works if you have a Windows machine properly set up. Mac & Linux users can pound sand. Oh, and no OTA updates, either.

Good (scary) information, but what exactly does it mean to me?
I have 4.0.3, so I am 9.6% vulnerable.
Does that mean I have almost a 1 in 10 chance that it has vulnerabilities, or 9.6% of the apps I download have vulnerabilities, or what?
Other than rooting and upgrading to a bootleg Jelly Bean, what can I do to make it better?

Yeah – the issue is really that even if you ARE tech savvy, there's not much to be done. Updates are in the hands of 1) Google, 2) your handset maker (who has to modify GOOG's update to work on their hardware and also maintain the security of their own device drivers), 3) the carriers, who have to push out the handset maker's update to their customers. If this sounds like a recipe for inaction – it is! Thanks for reading! –Paul

I just downloaded X-Ray (of course it is not available via Google Play!) and scanned my Droid 4. It is not vulnerable at this time, but I will continue to scan it regularly w/X-Ray, for whatever it is worth to know after the fact.